Many good questions generate some degree of opinion based on expert experience, but answers to this question will tend to be almost entirely based on opinions, rather than facts, references, or specific expertise.
If this question can be reworded to fit the rules in the help center, please edit the question.

7

That's a bit like asking if mosquitoes are more dangerous than great white sharks. It depends on your point of view, and who specifically are you assessing threat for. Mosquitoes definitely killed more people than great white sharks did, on a global historical scale. They're also more numerous. But a deep sea diver and a rain forest inhabitant might disagree which one is actually worth worrying about more.
–
TildalWaveJul 29 '14 at 13:29

1

What kind of danger?
–
user36556Jul 29 '14 at 14:08

1

→ TidalWave: your comment is the best answer to such a [✂] question: you can't put on an axis multidimensional objects (risk). Can't compare: the shark won't eat the mosquito, and the mosquito won't eat the shark!
–
daniel AzuelosJul 29 '14 at 16:58

3 Answers
3

The threat a virus impose in your system is, ideally, independent of its programming language because viruses exploit vulnerabilities in operating systems, applications, APIs etc. In this sense, a Javascript virus is as dangerous as any other virus.

Javascript is a full fledged programming language. This did not use to be the case in it's infancy as a crutch for DHTML (Dynamic HTML, whatever that was!). As a full fledged language with a full blown interpreter/compiler it is really no different than other most other languages software is written in. These days full blown desktop applications and server daemons are being written in Javascript.

One of the thinks that makes it dangerous is also the main reason it isn't more of a problem already: the original usage pattern was for browsers to execute untrusted code. Thanks in large part to Javascript becoming a full blown programming language, the web has become an free range for "applications" that you don't install but your computer executes every time you visit. This is opposed to most other languages which run somewhere where you very selectively choose which code to install and execute.

As a result, most Javascript interpreters have been designed to run in sandboxed virtual environments where they are not given access no all the API's that exist unless they are specifically granted permissions to do so.

Javascript totally has bindings for things like file system access and other "low level" functions, but most browsers opt not to expose access to these to be used by untrusted downloaded from the web. Instead they provide them with a sandbox where they can do things in a buble. Most modern browsers for example provide a "local storage" API where your app can store data, but it cannot talk to data from other websites on outside of it's sandbox on your system unless you grant it such.

Because it's expected that you will run untrusted code, Javascript interpreters in web browsers tend to be restrictive, but like any language you are really at the mercy of the quality of the compilers and interpreters.

As more and more things are being interconnected with Javascript it is likely to be a more popular malware vector. Malware in general thrives not on the most powerful language platforms but where it has the highest chance of getting executed.

"Too dangerous" is very subjective of a term. It really depends on what the JS is being used for. JS is merely a tool.

The most common (and perhaps most damaging) is called a cross site scripting attack where malicious JS redirects traffic. This traffic can be spoofed and therefore appear as trusted/secure but it really isnt. Thus, I say this attack is 'dangerous' because otherwise secure and meaningful communications (passwords/logins/etc) can be intercepted.

Additionally, JS could initiate many other kinds of targeted malware but that 'danger level' is determined by the actual malware.

Once again, you question is broad and subjective...

btw, if you are really concerned consider using something like NoScript to selectively allow JS.